Your employees already use AI. The question is: with policy or outside your view?
ChatGPT, Copilot and AI features in SaaS tools often move faster than policy, logging and training. We make shadow AI visible within agreed scope and turn it into workable guardrails, register action and evidence.
Why this is urgent now
Employees do not wait for a governance program. They summarize documents, rewrite customer emails, review contracts and analyze data. Without visibility into tools, data and agreements, you get data leakage risk, unreliable output and missing AI Act evidence.
Recognizable signals
Shadow AI usually starts because people move fast under pressure, not because they want to bypass governance.
Teams use public AI tools with customer data, employee data or internal documents.
IT knows which tools are officially approved, but not which AI features in SaaS are already being used.
Legal and compliance receive AI Act or GDPR questions, but lack an overview of actual use.
Managers want AI productivity, but have no clear do's, don'ts and review rules.
HR or L&D ran training, but does not know whether people apply AI in risky workflows.
Procurement relies on vendor claims without knowing which AI features employees actually enable.
What do we map?
We do not promise magical full discovery. Shadow AI is partly hidden by definition. Within agreed scope, we make known and reasonably discoverable AI usage patterns concrete.
Tools and AI features
Public AI tools, Copilot-like use, SaaS AI features and vendor functions teams use or want to use.
Data and confidentiality
Which data may end up in prompts, uploads, summaries, exports or analyses.
Use cases and teams
Where AI is used for client work, HR, legal, finance, support, marketing, product or leadership.
Policy gaps
Where rules are missing for approval, source control, human review, logging, storage or output use.
AI Act and GDPR signals
Where AI literacy, transparency, DPIA/FRIA, vendor evidence or register action may be needed.
First controls
Concrete guardrails: approved tools, prohibited data types, review rules, escalation path and training.
Approach
1. Scope freeze
We choose the teams, processes, tools and vendors included in the first scan.
2. Shadow AI discovery
We combine short interviews, tool overviews, SaaS context, policy and practical examples.
3. Risk and control map
We record where data risk, hallucination risk, vendor dependency, register action or training gaps appear.
4. Workable AI rules
You get a compact route toward policy, register, training and technical or organizational controls.
Logical next steps
AI inventory and register setup
Record known and reasonably discoverable AI systems with owner, purpose, risk and evidence status.
AI Act readiness and gap analysis
Turn shadow AI signals into classification, gap matrix and 30-60-90 day roadmap.
AI literacy evidence 2026
Make sure employees do not only use AI, but can show they understand what is allowed.
Frequently asked questions
Can you find all shadow AI?
No, and that would not be a reliable claim. Shadow AI is partly hidden. We work within agreed scope and map known and reasonably discoverable tools, use cases and risks.
Should we block AI first?
Not automatically. Often the better route is to make usage visible, separate risk levels, define approved tools, protect sensitive data and train employees.
Is this a technical security audit?
No. This is a governance and implementation scan. We review tools, processes, data, policy, roles and evidence. Technical logging or DLP can be a next step with IT/security.
How does this relate to the AI Act?
Without visibility into AI use, you cannot reliably decide which systems belong in a register, which roles need training and where vendor, DPIA/FRIA or transparency signals appear.
Who is this for?
Leadership, IT, security, legal, privacy, compliance, HR and operations teams that want to enable AI without losing control.
Do you know where employees use AI with sensitive context?
Start with the Gap Intake. We define which teams, tools and processes belong in a first Shadow AI Scan.